FBI Anonymous Anti-Sec LCSO.org FOIA Documents

X Deleted Page(s) XX No Duplication Fee XX For this Page XXXXXXXXXXXXXXXXXXXXXXXXX

Total Deleted Page(s) 8Page 21 - b6 ; b7C; b7D;Page 22 - b6 ; b7C; b7D;Page 23 - b6 ; b7C; b7D;Page 26 - b6 ; b7C; b7D;Page 27 - b6 ; b7C; b7D;Page 38 - b6 ; b7C; b7E;Page 39 - b6 ; b7C; b7E;Page 40 - b6 ; b7C; b7E;

XXXXXXXXXXXXXXXXXXXXXXXX

FEDERAL BUREAU OF INVESTIGATIONFOI/PADELETED PAGE INFORMATION SHEETFOI/PA# 1272054-0

b6b7C

UNCLASSIFIED

of LCSO was interviewed on b6.~~-~--~-~~~~-~4/23/2012 about a potential intrusion into the LCSO network. b7CI Istated that he had been contacted by an FBI Agent out ofSan Antonio (SA) and told of a possible computer intrusion backin January of 2012. I Istated that he attempted multiple timesto reach back out to FBI SA with negative results.

L...-_~Istated that he believed that the intrusion attempt b6was un-successful and provided logs and data. Writer and SA b7CI I advised I I to look again for the possible intrusion bychecking server logs and legitimate user accounts for unusualactivity and gave him an overview of criminal hacking proceduresand techniques. I I called Writer back on 4/23/2012 after themeeting to report that he had found a user account that was beingaccessed for illegitimate purposes and was going to contipue theinvestigation.

HQby

b6b7C

Details: On 4/23/2012 SAl land SAlof FBI JK met withl I at~I------------~~~~~----r--~Florida 32778 to discuss information that was passed from FBIon 4/21/2012 to SAl I about a possible computer intrusionI I into the t;cso network. .

Title: UNSUB (S);LAKE COUNTY SHERIFF's OFFICE - VICTIM

countySynopsis: To open case and document meeting withSheriff's Office (LCSO).

b7E

Drafted

Approved By:

Case ID

b6b7C

To: Jacksonville

Date: 04/24/2012Precedence: ROUTINE

FEDERAL BUREAU OF INVESTIGATION

UNCLASSIFIED

From: Jacksonville11Contact: SA L...-r---...,...---------- .....

•(Rev. 05·01-2008)

b7Db6 Ib7C

b6b7C

b6b7C

2

UNCLASSIFIED

FBI ALAT Bucharest provided the following:

LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,

Table name: SO TBL USERACCESSData:

FBI SA provided the following:

Writer reached out to Cyd HQ, Bucharest ALATI I~----~I, and FBI SA on 4/23/2012 to coordinate the investigationand collect information pertaining to the possible intrusion atLCSO. The following is the details of the information that wasprovided:

To: Jacksonville From: JacksonvilleRe: 288A-JK-NEW, 04/24/2012

UNCLASSIFIED ••

3

UNCLASSIFIED

I

b7Db6 Ib7C


•UNCLASSIFIED•

b6b7C

b7D

b6b7Cb7D

4

UNCLASSIFIED

Based on the above information Writer requests the abovecase be opened and assigned to SAl and Co-Case SA

I I••

ALAT Bucharest advised that!

[please note, some of the above may be misspelled]


•UNCLASSIFIED•

~.'<I!.W'". ~. .~. Jot

•. ~.;.:-~';~,!t'~;;%~~.sf.::.;..~..:.,..\~J;:;~ ..~/': ,~'~ ".,. .. ,,"

Item .Date To be returned DispositionFiled Yes No

, .. ,

..

" ,,,

,

.'

!

.

. .,

..

.

(Title) _

(FileNo.) 2~kJ"- £335:'/'

~D-340a (Rev. 1-27-03)

Ii

..,

,,_~,,e.~

F.~b6

" b7C

~

o Original notes re interviewofDescription:

(Communication Enclosing Material)Reference:

r j

~No

~ NoFederalTaxpayer Information (FTI)

DYes

To Be Returned 0 Yes 4p NoReceiptGiven 0 Yes ~ NoGrand Jury Material- Disseminate Only Pursuant to Rule 6 (e)FederalRules ofCrirninal Procedure

DYes

By 51A I(City and State)

(Address)'

_,t'r,,..- .'!_ '.'

, '. (Name ofContributorllntcrviewcc)

• -"I•.:.....i ....__;:-, - -,.,

From

" ~"Date Received

. .

Field Office Acquiring' EVldenee ' __ ., "0X~' ..L,'~',':..",...' ,,..,..',_.' ., __ '..;.,'~, '_',,!-,-' '0,:..',",,-.,' __~ ,..." .:,.-;'.,...'.,_:<_',...'/_"',...:'<! __' _': ., :;,-:'_'.' .~.~:~

Serial # of Originating Do'cu,inent--:-- ....~...., .,;,;::~,'..;.....,........,_....,....,-:--;.......,.__,..._,_'''~-,....__,...'.;~'., ,..0---",~..- ~ . -

cP'1 ).~lo I ~<:p is: ,

I'

I,

b6b7C

o Original notes re interview ofDescription:

Reference: _(CommunicationEnclosingMaterial)

To Be Returned 0 Yes ~~"Receipt Given Jl.l Yes .FiJGfJGrand Jury Material- Disseminate Only Pursuant to Rule 6 (e)Federal Rules of Criminal Procedure

DYesFederal Taxpayer Information (FTI)

DYes

By 5;&1

(CityandState)

(Address)

Serial # of Originating Document _

::~~ ... Ived 1/?>f ( t.cso~------~~(N~a~m~eo~fA~=n~m~bu~to~r~~nre=N~ie~~=)~------------

3<;;0 \,J ,,(J, '8 5 T

-FO-340 (Rev. 4-11-Ol)

File Number ~ 88f) , \J'K - S33~L{field ornee Acquiring Evidence _:J~...1.K'~ _

oo-

(" ART ~prvir,p RPl111Pc:t("nnfirmMinn - 1A M~tpri~l IPrintp/J nn OdI?7I?OI?\

6061 Gate ParkwayJacksonville! FL 32256, ,JKI External HOD containing backups and imagesof three (3) virtual servers and logs.C9PyHDDTo,Be Determined

b6b7Cb7E

FBIJK

b6b7Cb7D

b6b7C

44687Exam04/27/20122 (Priority)05/0212012

Assign Request To:Evidence to be Examined:Request Description:Legal Authority:

SUbmitting Agency:Agency Case/File Number:Contact Information:

Case Synopsis:

Service Request ID:Request Type:Request Date:Request Priority:Requested Completion Date:Investigative Request? YesUCFN: 288A - JK - 53354Case Agent/Investigator: I ICase Agent/Investigator Field Office: IJKCase AgentlInvestigator Supervisor: .-,-------.Case Title: UNSUB (S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM

Your Exam service request has been entered into the system and is pending review by the JK office. A representative, from the JK office will contact you shortly regarding thestatus of your request with further information and instructions.

•-

b6 Ib7C

Received By: I Received From:i L--- ~_:-f -

. - -, - r

!

II

r

-

srr: (c EO TTIf)

Description of Item(s): \,AIe5h.;(1 I2g ,-kt I All y $~0 k ~It" "',~&11 f/;(_/"7iJt~ tCc~kttf r alA d r,."aJ&~ 6 ;D

- .- I~a gq~ .

(City)__ -:-.:..o....:-. ''""'"-"..-'.:-_,~."...--......;"..;~".......,. ~ _

\

r ."'-"File #

,UNITED STATES DEPA&TMENT OF JUSTICEFEDERAL BUREAU OF INVESTiGATiON "

Receipt for Property' Received/Returned/Released/Seized

Page _-::-_0£ .L:FD-597 (Rev 8-11-94)

b6b7C

'below were:t"'t>,,,t>rt From

d To.I.'\.v."a;)vu To

, '",,'-_,::...-:::

b6b7C

.,

,.I..

b6b7C

"j

Description: jQ Original notes re interview of


r:..j

00 NoFederal Taxpayer Information (FTI)

DYes

To Be Returned 0 Yes ~ NoReceipt Given 0 Yes 9 NoGrand Jury Material- Disseminate Only Pursuaht to Rule 6 (e)Federal Rules of Criminal Procedure

DYes

By

(Cjty and State)

(Address)>f -"

.jI FO·340 (Rev. 4·11"()3)

t-··

4460 wasfiYlgtoYl Road • SlAite 2Q • EvaYls,Georgia 30809Office 706.854,8838 • Fax 706.854.8022

\

',j

"o "

," 0~:

" ~ ,1

-¢l?

",.,:0

DAILY GRIN

"

b6b7C

;.

Description: 0 Original notes re interview of

VCe-$"5 /eIC~.f-C- ~<ffcJ

.. (Communication Enclosing Material)Reference:

fl No

"

j By SAI ~~------------~--------------------I ' To Be Returned 0 Yes ~ No

Receipt Given 0 Yes lfJ NoGrand Jury Material- Disseminate Only Pursuant to Rule 6 (e)Federal Rules of Criminal Procedure

DYes ji3 NoFederal Taxpayer Information (FfI)

o Yes

(City and State)

(Address)

~ I

t3 u cho (~.),'(Name orContributorllntcrvicwec)

From AUTDate Received

Serial # of Originating Document "'_. _

Group leader was identified as the accused BALAEASA Gabriel, 24, of Piatra Neamt,known in the virtual environment with nicknames "lulzcart, anonsboat, anonsweb, Cartman."

This, together with Gabor and Picos Fabian accused Michael Emil was a group, joined byother people involved in the cyber terrorist attacks.

The group conducted an extensive criminal activity specific for cybercrime, whichconsisted of illegal access to computer systems, misuse of confidential or non public andpublished in the online environment seep data.

Databases confidential 1classified subjects were given preference for public institutionsand businesses, both in Romania and abroad.

For technical and practical way of operating, cyber attacks launched on the target serverand Web pages, were SQL injection, using different applications, namely Havij, SQL, etc.Map. In most cases, after compromise and obtain unauthorized access to targeted sites, thegroup members brought changes to computer data, executing attacks "deface", consists ofapplying a web page instead of the main site, which was to change general in certain postingmessages, links and images that promote group claims attack and hackers.

Attacks were launched in order to obtain computer data, appropriate data were copied 1transferred without the right and subsequently published in the virtual environment on varioussites as evidence of hacking activity.

Group members did so to launch attacks on a total of 29 sites, information infrastructuresuch unauthorized penetration achieved by infringement of security measures implemented inthe server that housed the target Web sites. .

Criminal activity led to total or partial compromise of Internet sites and areas covered,resulting in significant costs to recover data and implement new security measures. .

At the D .I.I.C.O.T. will be brought to hear 12 people, to which research is carried out forcrimes without the right to access information systems in order to obtain computer data inviolation of security measures, modification of computer data without right and unauthorizedtransfer of data a computer system provided. of art ..Article 42. 1,2,3 and art. Article 44. 1,2of Law no. 16112003.

The investigations were carried out with the judicial police officers in DCCO. - S .C.C.!.and Special Operations Division.

The action was carried out with the support of the Romanian Gendarmerie.Technical support and information was provided by SRI.

Prosecutors Department for Organized Crime and Terrorism - Central structuredeconstructed a criminal-group, consisting of 14 persons, so they carried out 12 house searchesin Bucharest, Iasi, Alba Iulia, Piatra Neamt, Cluj Napoca, Turnu Severin, Arad, Craiova andTargu Mures Resita. .

PRESS RELEASE05/29/2012

Acesta, tmpreuna cu tnvinuitii Fabian Gabor sl Picos Mihai Emil a constltult '0 grupare, lacare,au aderat ~i alte persoane, implicata in derularea agresiunilor de terorism cibernetic. -

Gruparea a desfasurat 0 vasta activitate lnfractlonala speciflca, de, crimlnalltatainformatica, ce a constat in accesarea i1egalaa sistemelor informatice, sustragerea de dateconfldenflate sau nedestinate publicitatii, precurn ~i publicarea in mediul on-line a datelorexfiltrate.

Bazelede date confidentiale/clasificate vizate erau de predllectle administrate de lnstltutll~i persoanejuridice publice, atat din Romania cat ~i din stralnatate,

Din punct de vedere tehnic ~i al modalitatii concrete de operare, atacurile Informatlcelansate asupra serverelor ~i paginilor web tinta, erau de,tip Sql Injection, prin folosirea unordiferite aptlcatu informatice, respectiv Havij, SQl Map, 'etc. In majoritatea cazurilor, dupacompromlterea ~i obtlnerea accesului neautorizat la site-urile vizate, membrii grupariiaduceau modiflcarl datelor informatice, executand atacuri de tip "Deface", constand inintroducerea unei pagini web in locul paginii prlnclpale a site-ului, modificare care consta ingeneral in postarea anumitor mesaje, link-uri sl imagini prin care se revendica atacul ~i sepromova gruparea de hackeri.

Atacurile erau lansate in scopul obtlnerii de date informatice, date care erau dupa cazcopiate/transferate fara drept sl publicate ulterior in mediul virtual pe diverse site-uri, cadovada a 'activitatii de hacking.

Membrii gruparii au procedat astfel la lansarea de atacuri informatice asupra unui numarde 29 de site-uri, patrunderea neautorlzata in respectivele infrastructuri lnformatlonalerealizandu-se prin tncalcarea masurilor de securitate implementate la nivelul serverelor caregazduiau site-urile web tinta.

Activitatea infractionala a dus la compromiterea totala sau partlala a paginilor ~idomeniilor de internet vizate, generand costuri semnificative in vederea recuperaril datelor~i lmplementarll de noi masurl de securitate .

Procurorii Dlrectlel de Investigare a Infractiunilor de Criminalitate Organizata ~i Terorism- Structura centrata au destructurat 0 grupare,infractionala, constltulta din 14 persoane, sensin care au efectuat 12 perchezltll domiciliare in municipiile Bucure~ti, Iasl, Alba lulia, PiatraNeamt,Cluj Napoca, Drobeta Turnu Severin, Arad, Craiova, Re~ita ~i Targu Mure~.

Liderul gruparif a fost identificat ca fiind invinuitul BAlAEASA Gabriel, 24 de ani, dinmunicipiul Piatra Neam], cunoscut in mediul virtual cu nickname-urile "Iulzcart, anonsboat,anonsweb, cartman". '

COMUNICAT DE PRESA

29.05.2012

Comunicat de presa - 29.05.2012Marti, '29 Mai 2012 00:00

http://www.diicot.ro/index.php?view=articlc&catid=38:mass-m ...Comunicat de presa - 29.05.2012

5/29/129:58 AMlof2

Cercetarileau fost efectuatetmpreunacu oflterl de politle judiciara din cadrul D.C.C.O. -S.C.C.I.~i DlrectiaOperatlunlSpeciale.

Actiuneaa fost efectuatacu sprijinul JandarmerieiRomane,

Suportul tehnic'~i informativ a fost asigurat de catreSRI.

La sediul D.LI.C.O.T.vor fi aduse in vedereaaudierii 12 persoane,fata de care seefectueaza cercetarl pentru savarslrea lnfracflunllor de acces fara drept la sistemeinformatice, in scopul obtlnerli de date informatice prin lncalcarea rnasurllor de securltate,modificare fara drept de date informatice ~i transfer neautorizat de date dintr-un sisteminformatic, prey.deart. 42alin.1, 2,3 ~i art. 44alln. 1,2 din Legeanr.161/2003 ..,

http://www.diicot.ro/index.php?view=article&catid=38:mass-m ..." ..."

Comunicat de presa - 29.05.2012

5/29/129:58 AM20f2


J&] No

To Be Returned 0 Yes lSi NoReceipt Given 0 Yes 121 NoGrand Jury Material- Disseminate Only Pursuant to Rule 6 (e)Federal Rules of Criminal Procedure

DYes g] NoFederal Taxpayer Information (FfI)

DYes

Original notes re interview of

I~-r ?f,'ffrtr1T <iF- ~vjp"ce ·Description: 0Letfrl .froVVl I

jl r!IF~1~34~)~30~------------- (City and State)

tBy sf I

Date Received 5130/, .;lFrom J L

Serial # or Originating Document _

Field om« Acquiring E~ldence _~\J~.r...I<~ -:

'.

~

b7D-

!

::

'"• ,I

"

\. p

f b6,t

b7C.'

'. "

:

.: ,

_"

-I,,

·1' '

~' 'II b7D

v:

".! ,, , r ..~~

•~ . .~. ,..

CART Service Request Confirmation - lA Material (Printed on 05/30/2012)

copy media and give to SA and retum originals to evidence.Consent

904-2487214JK

JK

b7D

b6b7C

45405Exam05/30nOl22 (priority)06/0sn012

Submitting Agency:Agency Case/File Number:Contact Information:. Assign Request To:Evidence to be Examined:Request Description:Legal Authority:

Service Request 10:Request Type:Request Date:

. Request Priority:Requested Completion Date:Investigative Request? YesUCFN: 288A - JK - 53354Case AgentlInvestigator: SAl ICase AgentlInvestigator Field Office: JKCase AgentlInvestigator Supervisor: SSALI ...I

Case Title: UNSUB (S); LAKE COUNTY SHERIFFS OFFICE - VICTIMCase Synopsis: ,..:O~ni!.,,2=..lwAi:l~pl:!lr~il-=2~0.!.i12!:.1U Jn,l!!::::ot~ifi~le~d..!:L~E~G~A~T~B~u~c:!!h~are~s~t.!:th~a~d ~

Your Exam service request has been entered into the system and is pending review by the JK office. A representative from the JK office will contact you shortly regarding thestatus of your request with further information and instructions.

CART Exam Service Request Confirmation - lA Material

b7D

" I,"'..

e:b6b7C

/;

~

b6b7C

L_ ~~

-Description: o Original notes re interview of

(CommunicationEnclosingMaterial)Reference:

Title:

rn No

;, ToBeRetumed D Yes ~ No

Receipt Given 0 Yes ~ NoGrand Jury Material- Disseminate Only Pursuant to Rule 6 (e)Federal Rules of Criminal Procedure

DYes 51 NoFederalTaxpayerInfonnation(F11)

<

DYes

By SA I') (City and State)

(Address)I

Tov are~ I Fi , 3 ;).77 8'

From ,r.~; afl",c e----~~--~~--~--7(N~am=e~o~f~C~o=nt~ri~bu~t=ot~/l~nt~eN~ie~w=ee~)~~~------------_;------

3({J Werr- ~ v-b'1cs:+(~T/

Date Received

Serial # of Originating Document '~ __=_

Fjeld Office Acquiring Evidence

"

~ Description: 0 Original notes re interview of

I CYj C6c. Cfr ED- 19'Z..:t llS 1 ~o,_ .1-g?~

'.- .

.;tI:. Reference: -...,.~I;,;;::,....,._-------------,.-_::_

(Cominunica'tionEnclosingMaterial)

.rf (CityandState) , 1;· r. frEer 4i'By --"-l..~"""-"--L_ __ J__----------,~lt To Be Returned 0 Yes 0 No I.t:( Receipt Given 0 Yes Cl No 1,t Grand Jury Material- Disseminate Only Pursuant to Rule 6 (e) 4f Federal Rules of Criminal Procedure 'l:,1. 0 Yes 0 No ,.1,t' Federal Taxpayer Information(FfI) V-

i 0 Yes 0 No i't Title: ,;

l'y.

t

., )'"

,,

b6b7C

..,Date Received __ --;::===::::;- _l From' ~b It ----~~-1--~c~,,-=,J,!~o~fcfcownm~·bbtU~w~dl~nt~eN~i;e~~)----------- 'I! ;; (Address)

1 Serial # of Originating Document _3~_7=-,- " _~i

i

Case Number: 288A-JK-53354Owning Office: JACKSONVILLE

Q4/25/2012BIN14CARTLocation: ECRBarcode: E472S431

WESTERN DIGI~AL MY BOOK STUDIO EXTERNAL HARD DRIVE,SN: WCAZA3,18'8836(2TB,W/POWER SUPPLY & USB CABLE)CONTAINING: BACKUPS & IMAGES,OF LEO APP1, LEO CITRIX,APP2{LEO TTA), AS WELL AS LOGS FROM LEO APPL, LEOCITRIX,LEOASP1,WEBSITE LOGGING

Date EnteredDe'scriptionof Property:1B 1

Case Agent:I

Anticipated Disposition: Acquired By:I

--_ ,'_'

b6b7C04/25/2012 360 W RUBY STREET

TRAVORES FL 32778 .

Date Property Acquired: Source from which Property Acquired:LCSO

,LAKE COUNTY SHERIFFS OFFICE

Title and Character of Case:,

ICMIPR01Page 1

O.~/25/1216:16:22-

Case 10: ~<g~A - JK- 53354Firearms Certification:Printed Name: Signature: Date: _

IB: __ -I- Barcode: G' '-17 ;?51/-3[

Reason:Reason:

Printed Name:Printed Name:

Signature: Signature:

I-S_ig_n_at_ur-1eh--r:======:!=::::;-__ -t lfj')..5/;)01J. b7CI I I \/Printed N~: I I /0:001}VV\ l'

Reason: Collected

o FOJo Refrigerate

o Batteries 0 Biohazardo HAZMAT 0 Latentso Req. Charging 0 Noneo Other

b6

FEDERAL BUREAU OF INVESTIEVIDENCE CHAIN-OF-CUSTODY

FD.I0Q4Revised

§·16·2009

o Firearm/Weapono Firearm/Other

o DrugoValuable

Evidence Type: 0 General~CART

Case ID: IB: Barcode: _

Reason:Reason:


Signature:Signature:

Reason:Reason:

Printed Name:Pr_intedName:

~ Signature:Signature:

Rea~on:



.¥ ,; ...~ ....

", .':Date and -,- -. 'TillIe'· ,

.Reason:Reason:



,,' .

. D~te and". :Accepted:Custody,:,< ,; ': . '~.':,:':" " .' ,D~t~'arid;:~::, "Time",'" ,,:: "',' "',>~-/,-:::->:,:, ·J,:~tP~";':--<

, "'.','

Reason:Reason:

Printed Name:Printed.Name:


Reason:Reason:


Signature:'Signature:

Continuation Page

EVIDENCE CHAIN-OF-CUSTODY

...

:A.ccept~~·C~siO~1-:....:.: .',-,:':;:;; ,~Dat'e ~rt'd;Y." , , ': .:,rime .: ,~',..',Date ahd '~.'

-Tlme

Received By: L...I __ ----.,.. __ ____JI--- Received From: 1L.. _;--- __ -~-_. ~~ .. ~~c.j-". ~_=";:J.

~s~

-'

" / I 7

!tlf2 ( L EO T7 A)/ eQ C;/ r,' X

FL J..27711(Name) LIA keG (() tAn f't ~4e /',r Fis 0 f(,'c,e 1(Street Address) J?O Wb~t !(t/;l~ .5fkcf TaVQ1/'-e.s

-_7 7(City) ,-- \......:;_"'< _

UNITED STATES DEPARTMENT OF JUSTICEF£DERAL BUREAU OF INVESTIGATION

Receipt for Property Received/Returned/Released/Seized

File # ;)~?lA - J 1<- 5335'i

I of IPageFD-597 (Rev 8-11-94)_f

b6b7C

item(s) listed below were:G:VReceived FromD Returned ToD Released ToD Seized

On (date) LJ/_asjao I J.

Case Number: 288A-JK-53354Owning Office: JACKSONVILLE

1.2: SEAGATE 1TB HDD, SN:W1D07MG6 (EXCHANGE LIVE ACQUISITION,4/30/12, SECOND ORIGINAL FORENSIC IMAGE,2.2: SEAGATE 1TB HDD, SN:W1D06LAK (LOG SERVER_4/30/12,SECOND ORIGINAL FORENSIC IMAGE)3.2: SEAGATE 500GB HDD, SN:9QM9T8PD (IMAGES FROM LCSO,LEOCITRIX, LEOAPP1, LEOTTA APP2, SECOND ORIGINAL FORENSICIMAGE)4.2: COMPACT DISK (CD), COpy OF LSCO-120490-4 CD REC'D FROMLCSO HELP DESK E-MAIL5.2: SEAGATE 500GB HDD, SN:W1D072K7 (IMAGES FROM (USERS +DEPTS BACKUP FROM 3-31-12) SECOND ORIGINAL FORENSIC IMAGE6.1: SEAGATE 1TB HDD, SN:5VP9S0H9 (IMAGES FROM LSCO 5/7/12,ORIGINAL FORENSIC IMAGE)

Date EnteredDescription of Property:1B 2

05/30/2012CART 131 tJ IY.Location: ECRBarcode: E4725693

b6b7C

Case Agent:I

Anticipated Disposition: Acquired By:

05/30/2012

b6=D-a-:-te-P=r-o-p-e-r--:t~y--:A:-c-q-u--:i:-r-e-:d;-:--::S~o-u-r-c-e--;::'f-r-om-w--:h;-~-:-'c""h--:P:::-r-o-p-e-r""7t-y---=A-c-q-u""":i-r-e-:;d:-:--------'b7c

b7D

LAKE- COUNTY SHERIFFS OFFICE.HTTP PASTEHTML COM VIEW BW2M4UWHB HTML

Title and Character of Case:

ICMIPR01Page 1FD-192

0.2/04'1209:03:36

IB: __ _..;;;.~-=-- _

Firearms Certification:Printed Name: Signature: Date: _

Barcode: El{7a 5<093Case ID:J'6'8fr- J/4-5335~

..__~ 5/3(:'/1 ~!:;':Y/ pM

Reason:

b6b7C5/30/1d

I-----I.___,...-----,-, ,-1',-,----1,) ~CkJptV\

o FGJo Refrigerate

o Biohazardo LatentsoNone

o Batterieso HAZMAT

o Firearm/Weapono Firearm/Other

o DrugoValuable

Evidence Type: 0 Generalo CART

FEDERAL BUREAU OF INVESTIGATIONEVIDENCE CHAIN-OF-CUSTODY

li'D-I004Revised

9-16-2009

b6b7C

Barcode: ._. _IB: __Case ID: --_". _.~, _

"Reason: Reason]

Printed Name:

Signature: Sign~_tm.e:... , . ~t-P-r-in......:te::..d.;_N-a.,.·m....,~..;.:_;....;..~--.,.........;;.,::..--.._-·,..."·-.;.,;,,.;-_;~, ".:". '

~--------------------------------~

Reason:

Printed Nan:.~:

Signature:

Reason:Reason:

)Printed Name: Printed Name:


Reason: Reason:



Reason:

Printed Name:

Signature:

Continuation Page

EVIDENCE CHAIN-OF-CUSTODY

S:\ORAFTS\S~RUl~r\117sp0212.wpd;

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;it and its contents are not to be distributed outside your agency.

Not dictatedFile # 288A-JK-53354 _..}- Date dictated----------------------------------------------~ __ S_A~I Jr=J~~--------------------------------------

04/26/2012 at Jacksonville, Florida____;_ _.;... -Investigation on

The screen captures and.web page content pdf were copiedto a CDR and placed in an FD-340 1A envelope and added to the lAsection of the case file.

http://pastehtml.cQm/view/bw2m4uwhb.html

The resulting web page appeared to be a tree listing of the LakeCounty Sheriff's Office (LCSO) server files. The web page, r-'~::.:' f=--_...,printed, would have been 194 pages in length; therefore, SAl b6sayed the web page to a Portable Document Format file (PDF). SA b7CI I then captured a screen print of the top of the web page,scro11ed to the bottom of the web page and captured another screenprint.

On April 26, 2012 Federal Bureau of Investig-ation (FBI)Special Agent (SA)I I connected to the Internet and' b6navigated to the following Uniform Resource Locator (URL): b7C

Date of transcription 04/26!2012

- 1-


b6b7C

•~ _ t..

FD-302 (Rev. 10-6-95)

b6b7C

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;it and its contents are not to be distributed outside your agency. s:\ORAF'I'S~ ~1.2011..2.wpd

b6b7C

Date dictatedFile # 2881\-JK-53354......t1by SA

4/30/2012 at Tavares, Florida--=---:....-----Investigation on

b7Cb7D

b6

On 4/27/2012 of the Lake b6county Sheriff's Office (LCSO) at 360 West Ruby Street, Tavares, b7CFlorida 32778 was contacted telephonically to discuss theinvestigation into the LCSO network intrusion. Writer informedI I that data related to the intrusion had been placed on-line atthe Uniform Resource Locator (URL)http://pastehtml.com/view/bw2m4uwhb.html. The resulting web pageappeared to be a directory tree 'listing of the LCSO files. The webpage, if printed, would have been 194 pages in length and containedthe names of directories and files that may have been exfiltratedfrom the LCSO network. It was later learned that four (4) fileswere posted to pastebin.com which were named Cyber Crime.zip, 911Calls.zip, Swat Team Files.zip and Full Dump With Even More filesthen above.zip. Writer downloaded the above referenced files whichwere over 4.7 GB of data. I I said that he would report theposting of the data to his command staff.

During the night of 4/27/2012 I I contacted writer b6again multiple times about email that was sent out to all the users b7Con the LCSO network from the hackers. The email informed al.ltheusers that received the email that the LCSO network had beenhacked. Writer again informed I I that it was safe to assume thatthe entire LCSO network was compromised and that proper incidentresporse and remediation should be undertaken by an outside firm.

asked if Writer could recommend any good groups to whichWriter gave I I a list of IT consulting firms. I I said thatthey had changed all the passwords that they believed werecompromised but that obviously did not work. He stated he wouldbrief his command staff again and emphasize the severity of thesituation and the need to have an external professional team comein and conduct the proper incident response and mitigation.

On 4/28/2012 I I met with I Iwhich is a CyberSecurity Firm located at IL--__ ~ =---------- ~ :--~~I~I~~~---~--~I Writer reached out to contacts in the TampaDivision and was assured that was a credible C ber SecuritFirm. ~~~~~~~~~~~~~~--~~~~~~~~~~~~~~~~~-,

Date of transcription 04!30/2012

- 1-


FD·302 (Rev. 10·6·95)t'

b6b7C

I

news.softpedia.com/news!AntiSec-Hackers-Leak-40-GB-of-Data-fromLake-County-Sheriff-s-Office-266784.shtml

paintsthefuture.com/lake-county-sheriffs-office-hacked-by-antis~cand-leaked-4-7-gb-of-stolen-data/

Writer identified the following online reports about theintrusion:

s.\DRAFTS\lc=::::J.il2Dll2.'Wpd

FBI HQ Cyber Criminal PM SSA who has b6been working with Jacksonville on this intrusion was updated and b7Cadvised of the current situation and continues to coordinate withFBI Jacksonville.

On 4/28/2012 with the LCSO b6reached out telephonically to Writer about a possible press report b7Cthat would be coming from a news team out of the Orlando area. Thenews team received a tip and was asking LCSO for astatement/interview. Writer contacted and briefed I~--------------~of FBI Jacksonville on the situation. I I contacted ~I ...and asked him to limit his comments if possible and would notobject to mentioning the FBI if he and/or the Sheriff thought itwould help. I lof the Office of Public Affairs, NationalPress Office, FBI HQ was briefed on the situation and advised allto use the statement "We1re aware of this report but cannot commentfurther."

contacted Writer and provided his cell phone number b6~------_'--~Iand office number I I and said that they were b7Ctaking steps to secure the LCSO network and would retain any andall evidence of the intrusion to assist in the on-goinginvestigation. I Ibelieved that the intrusion was related tomultiple other intrusions by the same group of hackers and hadlocated several IP addresses that he believed went back toinfrastructure controlled by the hackers.

On 4/28/2012 I I informed Writer by telephone that the b6Florida Department of Law Enforcement (FDLE) had contacted him b7Cbecause of some information they had received about the intrusioninto the LCSO network. Writer s oke with of FDLE and

for FDLE and~~~~~~_r~~~~~~~------------------~s.

( 'IFD-302a (Rev. 10-6-95)

, Page _....:2=--__________________________________________ ,On 4/30/2012Continuation of FD-302 of

b6b7C

I

S: \OAAFTs\lL.__ ---Ih 20112. wpd

on 4/30/2012 I I was contacted telephonically and b6stated that the LCSO was in lock down mode with the email server b7Cand website down as well as other services and that they were b7Dworking withl Ito review all systems and bring them up one ata time once they had been secured. I I is currently collectingdata related to the intrusion and cop1es will be made and providedto the FBI to support the ongoing investigation. News channel 9reported the LCSO intrusion.

gnsec.com/modules/d3pipes/index.php?page=clipping&clipping_it71380

On 4/30/2012 I I stated via telephone that they had b6collected images of drives and other evidence of the intrusion and b7Cbelieved that it involved three 3 people, 1 in the US, 1 in Moscowand 1 in the Ukraine.

jimmy89vl.blogspot.com/2012/04/lake-county-florida-sheriffsoffice.html

Ii 'lFD-302a (Rev. 10-6-95)

(.4. "

,Page _3_________________________________________ ,On 4/30/2012Continuation ofFD-302 of

S~\DRAFTS\JMBOL~N\~~6jbOl12.wpd

This .document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;it and its contents are not to be distributed outside your agency.

b6b7C

by SA

Date dictated_..;

File # 288A-JK-53354 - b4/25/2012 at Tavares, Florida____-=-- :..,._ -Investigation on

I I was interviewed about a potential intrusion into b6the LCSO network. I Istated that he had been contacted by an FBI b7CAgent out of San Antonio (SA) and told of a possible computerLntrus Lon into the LCSO back in January 2012. I I stated that hechecked his systems and found no evidence of the intrusion andattempted multiple times to reach back out to the FBI SA withnegative results.

~ ~I was asked about any new intrusions into the LCSO b6network and stated that there were un-successful attempts and b7Cprovided logs and data to back up his conclusions. Writer and SAI I advised I I to look again for the possible intrusion bychecking server logs and legitimate user accounts for unusualactivity and gave him an overview of criminal hacking proceduresand techniques. I I called Writer back on 4/23/2012 af'terthemeeting to report that he had found a user account; that was beingaccessed for illegitimate purposes and was going to continue theinvestigation. I Iwas given part of a database table that FBISan Antonio had provided to Jacksonville when Jacksonville hadreached out and inquired about the January 2012 contact with LCSOafter'leaving the LCSO meeting.

On 4/25/2012 Writer met with I I and other 'stafffrom b6the LCSO. LCSO was again informed that the FBI had an open ongoing b7Cinvestigation into the intrusion and was working with internationalpartners. I I provided one (1) hard disk drive (HDD) thatcontained ,mages1of 3 virtual servers, logs and data related to theintrusion. was given a property receipt (FD-597) for the HDDand signed a consent to search computers form. The HDD was placedinto evidence and a CART request was completed requesting theimaging of the drive. HQ was contacted and forwarded a case supportrequest form for assistance in reviewing the HDD and data providedby LCSO.

b6b7C

On 4/23/2012 SA I Iand SA I lofFBI JK met with I lof the Lake CountySheriff I s Off,ice (LCSO) at 360 West Ruby Street, Tavares, Florida32778 to discuss information that was passed from FBI HQ on4/21/2012 to SAl I about a ,possible computer intrusion byI I into the LCSO network.

Date of transcription 04/25/2012

- 1-


FD·302 (Rev. 10.6·95) •r

•

b6b7C

b6b7Cb7D

b6b7C

UNCLASSIFIED/ /FOR OFFiCIAL "{JSEq!S'JJI~FTS~.r--""U20212.WPd

(UtiFOUo+ LCSO was unsuccessful in fully eradicating themalicious actors, and on 27 April 2012 the LCSO mail server wascompromised and used to distribute a mass e-mail message alertingall system users to the intrusion activity. One of therecipients of the message 'wasthe Florida Department of Law

(U//FOUO) FBI Jacksonville immediately notified LCSO ofthe suspected intrusion. On 23 April 2012 Jacksonville met withLCSO and provided them an overview of criminal hackingtechniques. Shortly thereafter, LCSO identified an unauthorizeduser account being accessed for illegitimate purposes. LCSO wasinstructed to begin remediating the problem and capturingforensic evidence.

Synopsis: To update case.

Details: (Uj/FOUO) On 21 April 2012not~~'f~~~'e-d~~L=E~G~A=T~B~u-c~h-a-r-e-s~t~t~h-a~t--~


Case ID #: 288A-JK-53354

Drafted By:

Approved By:

From: Jacksonville1~Contact: SA ~ __~==~ ~

~ L.....-_JI sf, Il-1.

o .,Le(Pending)

To: Jacksonville



UNCLASSIFIED/ ZFOR OFl"IC!AfItlSEONLi::

(Rev. 05·01·2008)

2

UNCLASSIFIED//FOR OFl"IeIAL OSE ONLY

••

8 .

7.

6.

5.

4.

3 .

2.

Enforcement (FDLE), the state's central law enforcement agency.Later the same day, Twitter user "EviISecurity" tweeted links toapproximately 4.7 GB of LCSO's data, as well as a username andpassword to an account on Leso's mail server.

< (u//~) On 28 April 2012 the Romanian-owned websiteSoftpedia reported the theft of 40 GB of data from Leso. Thebreach was attributed to Operation AntiSec, a series of hacksperformed by members of Anonymous and LulzSec. According toSoftpedia, one of the hackers, presumably I I, claimed 35 GB b6of the stolen data consisted of law enforcement software b7Capplications. The remaining 5 GB, which was posted online,consisted of "everything stored in the office's internal networkthat could be considered of value," including cyber crimeinformation, audio recordings of 911 calls, photographs andpersonal details of SWAT operators, subpoena records, and FBIIntelligence Bulletins.

Investigative Action Plan: (u~ Jacksonville is currentlycoordinating this investigation with LeSO, FDLE, FBI Phoenix,LEGAT Bucharest, and I I The following investigative activity b7Dis ong linn nr ::Inril""in::lrl=>"· I1. b6

b7C

To: Jacksonville From: JacksonvilleRe: 288A-JK-53354, 04/30/2012

UNC!SSIFIED/ IFOR Oli'FIe:!A!J USE'NLY.", ,

S:\ORAFTS\~OL1N\122jbOlt2.wpd

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FB[ and is loaned to your agency;it and its contents are not to be distributed o~tsille your agency,

b6b7C[]~-----------------------------------------------------------------------------------------------------

Not dictatedDate dictated

(telephonically)at Jacksonville, FloridaInvestigation on 05/01/2012

Fi[e II 288A-JK-53354 ".....'1by SA I

According to a conversation I Ihad with Lt. c::J b6~ ~~~I who coordinates the Leso S.W.A.T team, there were no FBI b7Cagent's personal information obtained.

Lt. I, Lake county Sheriff's Office (LeSO), b6Florida was interviewed by the Federal Bureau of Investigation b7C(FBI) regarding a recent computer intrusion into Leso. After beingadvised of the identity of the interviewing Agent and the nature ofthe interview, I Iprovided the following"information:

I I contacted FBI Special Agent (SA) and b6advised that she had gone through the files that they believe were b7Ccompromised and identified a file named FBI UPDATE TARGETING OFPRISONERS FOR IDENTITY THEFT.pdf from 2010 and that it wasunclassified. I I is not aware of any classified information atthe Leso.

- 1-


Date of transcription 05/01!2012

'/J .,FD·302 (Rev. 10-6-95)

;S: \DRAf'I'S\SPRU!'l'T\1.22sp0212. wpd

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;it and its contents are not to be distributed outside your agency.

b6b7C

by S_A~.~I ~I~~~ ___Date dictated Not dicta ted

at Jacksonville, Florida (telephonically)Investigation on 04/2 7/2 012

File # 288A-JK-53354 ,/ '%

b6b7Cb7D

I toL

After receiving the emaLL, several LCSO members contactedreport the incident. I I stated I

~ Lake b6Coun t y SheL:-r~~"""lf"""lf....,r-s~o~f""f""'i~c-e~('""'L""'C'="'S'="'O=:"')!'"",-'I"'IF.....l~o~r~l.~d~a~w~a~.s~l.~n~t-::-e~r~v~l.~e-::-w~e~dT"""'Ib~ythe b7C

Fede ra L Bureau of lnvestig'ation (FBI) regarding a recent computerintrusion into LCSO. After being advised of the identity of theinterviewing Agent and the nature of the interview, I I providedthe following information:

I contacted FBI Special Agent (SA) I b6b7Cb7D

- 1 -


05/01/2012Date of transcription

•\!.;J \:;; ~4

FD·302(Rev. 10.6.95)

CONF1nENT1Ali/IFeI ROe/REI;; '1'() ugh 1 ROU

b6b7Cb7E

(U) Legat Bucharest's coordination with the FBI's CyberInitiative and Resource Fusion Unit (CIRFU) previously identified

blb3

Sources

blb3b7D_nonymous

Anonymous RomaniaTitle: (U)

Case 1D #: (U) 163K-BO-893 (pending)A3 tit(U) 288A-JK-53354 (Pending)"

Drafted By:

Approved By:

b6b7C

ALAT~ __ ~===- ~

~_____.DDFrom: Bucharest

Contact:

Attn:Jacksonville

Attn:International Operations

b6b7C

CCU1, SA ~I;::::::=====!...,_ .....CCU2, SSASSAI~~Ir-a-------"II-----JEurasia Unit, SSA ....1-----.,

Attn:CyberTo:



CONFIDENT1Al:i/IFeI ROe/RELI '1'1' liSA 1 ROU•

CONE'IIlElIl'1':tAL//PEU ROe/REL '1'0 USA, ROU

2

blb3

b6b7C

(U) On 4/21/2012, ALAT L..I__ ----II contacted LCSO andthe d . administrator there, I I e-mail

regarding the possib~l~ty of an ~ntrusion.L..-._~ acknowledged the notification and began conducting researchto veri,fythe intrusion.

b6b7Cb7E

To: Cyber From: BucharestRe: (U) 163K-BO-893, 5/02/2012

cONFtIN'l'IALI /EGI RO~/RElL 1'0 USA!ou

..,r

blb3b6b7C

3

CONFIDEN'I'IAL//FSI ROuiML TO USA, BOU

Cyber From: Bucharest(U) 163K-BO-893, 5/02/2012

To:Re:

CONFIDENTIAL//PS! OO'6i:REL TO USA, ROU

(U) The information resulted in coordination with CyDand JK Division, resulting in the initiation of case 288A-JK-533S4.

4

blb3

To: Cyber From: BucharestRe: (U) 163K-BO-893, 5/02/2012

f'UlIIFT1r, ......."' ......,._, ' ..."T e!= ~.L>J..&r ~,-,-i:'"0i:I::c ROU/REIi r;ro TTSl§ j goOt • '\

jC)··························· .

CONFTDEN'l'lAl://FSI ROe{REL '1'0 "SA, ROU

••(U) For infQrmation.

ALL RECeIVING OFFICES

Set Lead 1: (Info)

LEAD (s) :

Cyber From: Buch_arest(U) 163K-BO-893, 5/02/2012

To:Re:

- " ,- .eMF IDEfII'!'IAL, ,-FSI ROU, REL '1'0 USA~QU" .. .' "'t

5

b6b7C

..

CLASSIFICATIONLEVEL ATfENTION: S_.:.;._'A---1!i...,___ ___J.--L.. ....J

(QJECKONB)

cUNCLASSlFIED· NOTSENSITIVE

<!~s;nw CO~IAL

TO: cAlbany cHouston cNorfolk cAbuDhabl o Jakarta cSeoulCAlbuquerque c Indianapolis oOklahoma City cAmman cKabul oSingaporcCAncborage ClJ~ cOmaha oAnksra o Kiev cSofaaoAtlanta ~ OP~tadcJphia oAstana o KualaLumpar oTallinnoBaltimore Cl Kansas City cPhoeniX cAthau CLagos cThilisi

ClBinningham oKnoxville oPiUsburgh o Baghdad o London CTclAviv

CBoston o Las Vegas oPortland o Bangkok cMadrid CTokyo

CBuffalo ClLittle Rock CJRicbmond CBcUfng CManila OVienna

CICharlotte oLos Angeles Cl Sacramento CBeirut cMexlco City o WarsawoBctlln cMoscow E:l

ClChicago Cl Louisville CISaint Louis cBern cNairobiCJCincinnati ClMemphis c:::JSaltLake City o Bogota cNewDclhiCJ Cleveland CJMiami ClSan Antonio CBrasllia o OttawaoColumbia CJMilwaukee ClSanDiego CBridgetown o PanamaCityCDallas t:::IM'mneapoUs CSan Frimcisco o Brussels oPerisCJDenver ClMobilc cSanJuan o BuenosAires ClPragueCDetroit CNewark cSeattle oCalro CPretoriACJElPaso ONcwHavcn ClSpringficld cCanberra. ClRabatCFBIHQ ONcw Orleans ClTampll cCaracas o RiyadhClHonolulu cNcw YorkCity cWasbing10n Pield CJCopenhagen CRome

pDakar C SanSalvadorIJ:JButt~ose CQuantico (ClRG) c:J Savannah asc cDoha CSanaa

Cl Cluksbmg (CJIS) OQuan(lCO(Div. 2) Cl WInchester (RMD) OFrec:town CSanliagoOFt. MonmouthITC C Quantico(ERF) J:J oHongK'Ong C santo DomingoCPocatelJo ITC 0Qllantico (Lab) cIsl~abad c S1lI'8jcvo

FOR INTERNAL USE ONLYLegat ..BucharestNaDle.~· _Legal Attache

.'-U.S. Embassy ..Bucharest5260 Bucharest PlaceDulles, VA 20189~--~-----------(011-4(}"21)200..3339

blb3

blb3b7D

b6b7C

CbNFIDEN'!'I1Gi//FGI ROe,'ML '1'0 uSA, Ron

Svnppsisu; tII:!Q!Jmt-$ylu

Drafted By: '_____~IDCase ID #: 163L-BO-893 (pending)...-I'\'

288A-JK-53354 (~ending)/IO

Approved By:


IC)

Attn:Jacksonville

I' I regard1ng theAnonymous Romania hack ,into the Lake County Sheriff's Office.

Derive~iple SourcesDeclas~0502

Title: ANONYMOUS ROMAN1A.

From: BucharestContact: ALAT ~I---r--,_---------~

CCU1, SA 1....,.. ...... _....,CCU2, SSA ISSA~I r--~SA ,...1 ........ 1SA ....1~_~ __ ____,I r----....,Eurasia Unit, SSA ....1__ ~

Date: 05/02/2012

Attn:To: Cyber

Precedence: ROUTINE


.CONFIOE»I'I'IAL//FGI ROeY:REL '1'0 USA, BOIT

IC)

(Rev, 05·01.2008)

CONFTOEN'I'lAI:! /FSI ROe/REL '£0 USA, ROU

2

b6b7C

(U) ALAT I I provided the l.ink to pastehtml.com toJacksonvi11e Cyber on 04/26/2012.

blb3

Cyber From: Bucharest163L-BO-893, 05/02/2012

To:Re:

CONFIIN'PIAL/ /FGI ROt1/REL'1'0USA!lou

CONFIDEN'fIAL//!GI ROO/REL fO USA, ROU

++

Read and clear.

AT EURASIA UNIT, DC

Set Lead 3: (Info)

INTERNATIONAL OPERATIONS

Read and clear.

AT JACKSONVILLE, FL

JACKSONVILLE

Set Lead 2: (Info)

Read and clear.

AT CCU-1, DC

CYBER

Set Lead 1: (Info)

LEAD (s) :

To: Cyber From: BucharestRe: 163L-BO-893, 05/02/2012

"

3

UNCLASSIFIED

b6b7Cb7D

IDetails: I

CIRFU searches on the

b7D

Title: ANONYMOUS ROMANTA

L...--....------'O (Case ID #: 163L-BO-893 (pending~

288A-JK-53354 (pending)..-II

Drafted By:

Approved By:

From: Buchares~Contact: ALAT~I ...,....._r- ___'

~

Jacksonville

To: Cyber b6b7C

Attn: UC !":;I --:::-;:r==::::::!...----...,CCU1, SA .1_.,.... ........ ___,CCU2, SSA ISSA I

Attn: SA ~I~-----------r-~SA L...- ___.r---___,

Attn: Eurasia Unit, SSA L....I __ .....IInternational Operations



UNCLASSIFIED•!t\.,

(Rel~05-01-2008)

UNCLASSIFIED

2

b7Dmet withALAT

b7D


UNCLASSIFIED ••

UNCLASSIFIED

••Read and clear .

AT EURASI-AUNIT, DC


Set Lead 4: (Info)

Read and clear.

AT JACKSONVILLE, FL

JACKSONVILLE

Set Lead 3: (Info)

Read and c.rear.

AT CCU-l, DC

CYBER

Set Lead 2: (Info)

3

b7Db7E

AT CIRFU, DC

Conduct I ~ and/or ~ny otherchecks for nicknames prov~ded and coord~nate anyresults with Bucharest and Jacksonville for

IrelevantpositiveI

CYBER

Set Lead 1: (Action)

LEAD (s) :


UNCLASSIFIED

,•

gONE'IDENTTls'fl//FGI ROY/~L 'fa USA( ReQ

blb3

Il'l

Sources

oman~a, reporte

blb3b7D

ANONYMOUS ROMANIATitle:

(Pending)";JJ(Pending)....l~

Drafted By: I I IL--------L____J

Case ID #: 163L-BO-893288A-JK-53354

From: BucharestContact: ALAT I~-----r------~----------------~

Approved By: I~--------------~


Attn:Jacksonville

CCU1,~~A1

b6CCU2, b7CSSA I

ISA ISA I IEurasia Unit, SSAI

I b6b7C

Attn:To: Cyber


CONFIDEN'!'IAL//P(!! RO'6/REL '1'0 USA, ROO


blb3

2

~ONFIDEN'li Iln,llFGI Reg/REX. T!! OSA, ROO::

To: Cyber Frpm: BucharestRe: 163L-BO-893, 05/10/2012

blb3

3

CpNFIOE~ITIliL//PS:f ReetREL '1'0 aSA, ;OTJ


...I CONF&I'.1.'lALI /PS! ReetREL '1'0 aSA~OIJ

CONFIOEN'!'IAL//FSiROe/R!lL '1'0 USA, BOTT

• +

Read and clear.

AT EURASTA UNIT, DC

Set Lead 3: (Info)


Read and clear.

AT JACKSONVILLE, FL

.JACKSONVILLE

Set Lead 2: (Info)

Read and clear.

AT CCU-I, DC

CYBER

Set Lead 1: (Ipfo)

LEAD (s) :


,...

J. CPNF:lN'l'Ila/ /PSl: ft06/REL '1'0 gSA~OTT

4

./ ReqUItesthat an exptanatlonbe attachedand loadedInto ISRAAfo( recovoryoverS1m andPElP over$5 m, dISruption.drsmanucment, anddrug secures,

b6b7C

I SerialNo.of FO·515

I 1.&:\

ISocialSocurotyNo. (if ava~able)

I

DOeccased

E. lIost390S(S) Ro!o~sod Oalo: _

Releasedby:DTorrorist 0Other

Numberof Hoslagos: _

x AddItionalinformationmay beaddedby attachinganotherform ()t a plainsheetof papor foradditionalentries., Seecodes on reverseside•

fot ...,_</CoII'iIcOoOMO<tf'oSvb.<><I' .... 1odIO.VILCN."" ..", ~""Cr_ (AOC~_00ll....'0<1o-..."e '(I()C~1l.... ~""MI.,.c....Of>O"'\. Car_ .....Of t:o.,...,()r~"""'"0-_Ctou:>.CoMpIol. f().S 15.>.$<I, I e~.I\-E """"'''''Y.r ... '''WOP'-o Sub,,,,,'o,",,,,, 10.... OCf~ otOb""""". VCMOI'W-NO!","",Ca"Q SUo!O?Y"'0" g""'l>.Qt • VCMOPIOQIAI'I110>1""'"rrOOlty... ~....... !;vQ<41J1_'~f()'51S..s.o.1 """",A-(;o<>Y_

II

P.Subjocllnformatlon • Required for all blocks excluding block 0 (Recovery/PElP), blocks E,I, Land N

NameI Oateof Birth

I 1MI Raco" I Sex

CompletionOfFO·515aSide2 Mand~lory

I.Olsruption/Olsmantlemont: '"

Yellrs Months _

'" Amount SCode •

DPrclrial DiversionAmount S _

O.Recovery I Restitution / PELP XoFedoral olocal OlntcrnatiooalRecovery Oale: _Code ' __ ", Amount $ _Code' _,__ .r Amounl $ _

Restitution Oato: _

OCourt OrderedCode' __ '"PElP Oalo: _

C. Summons Date: _

oFederal 0 local

O. Locale I ArrosloFederal OLocal .I8I!nlornatlonal

SubjectPriority: OA~B l8lClocate Dale: .5/J.9. Jol ~Arrest Oato: sh f/aol "

'{oSubjectResistedArrestoSubjectArrestedwasArmod

IndiclmenIOale: _

A. Comp!alnt /Information/lndlctment

Qedorlll DLocal OlnternatronalComplaint 0310: _

Check if ClVltRico Complaint 0Information Oale: _

2.

Suspended: Years Months _

Probation: Years Months _Flnos:, $ _

O. Child Victim Inforrnatlon

Childlocated/ identined Date: _OismanUomentOato: _

N.Drug Solzures.r 0310: _

OrugCode' -::- _Weight Code' _FDIN _

00 nol indicale$ in Section0

M,Acquiltall Dismissal/,Prolrial Olvors!on(Circleone) Oale: _

Name:·

1.

In Jan:

H. Sentenco 0310: _SentencoType:_ • , •

l. Assot Sei~uro Oate: _Asset Forfalture Oale: _CATSIIMandotory _Circlebelowone of the threeassetforfeiture:Admin, Civil Judicial, or C(imlnal00 nol indlcate-Svaluein Section0

BsuspenSionDebarmento Injunction

K.Administrative Sanction 03te: _SUbJoctDescriptionCode _'Type: length:

Dpcrmanonlor

Yoar Months__IICountsSectionTitle

G. U.S. code Violat!onRequired(or sectionsA, B. r:and J(Fed()raIOn!y)

Convictlan Oalo: _

SubjectDescriptionCode • (---) ,

for SF.G, H·lncludaAgoncyCodeoFolony or OMisdemeanoroPlea or oTria!State: JudicialOistrict;

o Federal

F.Conviction

..OisruptionOato: _

J. Civil RIco Matters Oate: _Also complete'Sochon G'Other Civil Matters OMo: _Judgment__ ' '

JudiCIalOutcome • xAmountS _

Suspension;Years__ Months _

OChRospOM

~or.lang ASSI.~onF6Ilabe:

ee-sc

eons""Mon.ELSUR/FISC

ELSURIT.IIIEng. fJeldSpl.Eng. Tape Ex.

'Legats AnI.

Evid. Purctlaso

InflONlnfolab Oiv. Exam

b6b7Cb7E

Aireron Asst.Computer

2.AssistIngAgencies x •

TaskForce

PPP

InI(~G3rdlCyOOFClCIO

Assetfori ProgfOIlS~wortProtTFOSICTO

CXSICTO

CART

10WanlOdFlyet

SARs

vUe·OSC

~v·OSC

~CAVClV~CMrlnVNSl!IIdAS$~wNcq ••FO(

~lsisne9'l~RTAsst.

Tcct~AglEqvlpPhone TollReoUCO·Group'

UCO·Groupli

Sc3lChwarranShow Money

SOGAssl.

PenRegistersPholoCover

Polygraph

IAT Rate ro IAT Rate FO IAT Rata FO IATRato FO

Investigative Asslstanco or Technique Used1.Used,but did not help 3. Helped,substanliaUy2. Helped,minimally 4,Absolutelyessential

For Sub, Invest.Assist. by other FO(s) indicateA. O. C, 0 for correspondingFO

AssistingAgentsSoc.Sec.No. x11 INamJ

RAIAsst. FO(s) I

A. O. C. O.

AccomplishmentInvolves:(checkall that apply) I F~oNumber I

Orugs B 0i8}iA-JK-S335l/A Fugitive I StatAgentSoc.Sec.No. IBankruptcyFraud E IComputerFraud/Abuse ~!Corruption01 PubliCOlliCial 0011 I StalAgentName:::J' Moneylaundering 1-__ ;;';;:::':';ll::.:':':':'~::;'I __ -!Sub InvoslAsst by FO(s) q "------- ........,

I

nate loader's Initialsb6b7C

Accomplishmenl Report(Accomplishmenlmust be reportedandloadedintoISRAAwIthin 30days fromdate 01 accomplishment)Dov.8.30.2010)

Squadsupervisorapproval(pleaseinitial)

-2-

9A CI>,'dc....provj"'~911 Ckrl')'9C Athl<ti. (,0Kh9J) T.w...~IAi<le9H law Ui[on,('I'flj,."!I\II'ersoMd,)1~ ("oUl\S(lor90 R<I>t>vc911 Sltan.:cr91 0Iher

CIIII.P1'lItllATOIIS

.!.U:!!!::!lli3A AUOther Subjros811 ('o""",ny '" ('o.ror:l,ion

'A lWlI.Om",~" II H"'" C"'l'loY'""

!lANK .:r.lrl,Ovn~"

6N State Prosecutor6P Statol.ow r"'(0I'00"eI1100i<cf6Q Sure-AIIOO""6K Ma)'Ol6S Lo.:.>II.q;l,l.tor6T 1"""l1l1dgcIM'l:'s",'.6U to.::all'ro$«uIO<6V 1",,~I""w 1:"(0"'01'<111 Ofli<cr6W loo.',I-AII0tI>cn6X C<>unI)'Conll1l;s,;"nct6Y CllyCo"""ilnwl

4A KnownMcmwQr.T<n"\)1u, Organit>uon411 1''''''bfeTnroIUIM.mb<r

Q' S)TnP>'l>iLCt

·ItJ(R()RJ~'TS

lA I.<g>lAI,<I'I311 1IIq:>lAlicnJC .'orclgnOmciolWlout

ViplOlN-uc: Inun~i'y3D U,N.~~Ioy« WI"",

DiplQlmtl(" Imm~il)'Jll J'orcignStud<n131' AIJOthm

HlRt'lGN NA'IIOSAIS

2A TopTa,,,, to, t'ug,tive21l TopThi<f2(' Top Con M..

KNOWN ('KI~IINAI.s

lIos.Un<JcrlJosoeon.is.li=A<tin.: BessC>pod<I.;noSoldfa

II',:~IIII:II,

C;OVt:JtNMt:NTSIIJU.:C'rs(6t;6G, 611.Inclu<leAgf"'Y (,O<k)

6A r....id<ntiaJ Appoilll<x:611 U,S, ScnatorlS .. rru: U,S Rcpre><nlOuvelStarr61) fcxkt.uu.%.n.lagl$tn,e6t! J'cdcr-.Ip~r61' .' • .)" .... L:ow [nfOlc<nl<lll om""w t'cdo:r.1 Cmploy«' GS J) &..Al>ov.611 ~"cdo:r.Il:mploy«. OS 12& lleIow6J GOYmm6K Ll. Gov""",61. St)te J..4o&isl.tor6M S... eJoo':<lM.~istra..

SI> r, esidcnt$I! Vi«o-P....Kl<nt$1' TI'<..",~rSO s«r<W)l/rl'CON<~$11 ll""",.iv.lloard M<ln()<r51 lIoslnas AJ:cnt$J k~alUtivc~" ~3IIi ...~1. lI .. in~ Man>!:er~M !'.nonciaJ S"'fct>rySN K.'«>rdi",S=tury~l· 00;\.'(' MaNger~Q Cr",k5R SI>o;'>S.eward55 M",>b<~ST '(nISI""~U OIl,er

OJH:ANll,t:1lclu~n:~

SUII,n:CTnt:SCUIP'I'IONcom:s

GM Gt;U1~$)lW Kil<>gr'I1l(S)I.. Li!<t(.)~Il, Milhht.,(s)P Pbnt(.)I)U l>osoS.Uni'(s)

Illllle Wt:,GIII' ("()Ut~~

CJ C<>nstnlJ""!:>ncnlco C<>urtOnJon-dSct"cmcnI01' Def.ult Jud-.:,ncnIDI I>i.m~IN J""g1l><I" Notw11h>1on<J10!:MV Mncd Verdict81 S",nm>IY1""!:>ncnIVI> V¢rd1<1(<< Deftnd.v>tVI' Vmll<l (or I'J.;n,i.f

coc ('(>..1in<:III,R lI"I"O'nIlSJI IIashishKAt Kh31lSI) I,sOMAR M.. iJI.Ot\OMDM Mcthylcned'O')'In<tJwnfll«>n'''''Mer M<I}",nph<umincMOR Motphi""OPM OpienOft) OIherdtlrj;S

A s"bied W>nt<d(01 enol<>o( viol<r>ce.(I e, , """do:r,nuns4\JShta.Jorobl< rape)>pins' another '",,"vid .. l« _v""cd ofw<h a aim" In ,he J>3>Irivcrc=

II Subject """,<d (or aim"" involv"" loss«d¢sI'uctionofprol"'1y voIocd in excessof S2S,OOO01 convict<d o(sud>. en'''''in.he ~ fi"" YO"'"

C AUotl>.:rsubi«u-IllHJC:C()t)K~

SIIIIU'C'r 1'lUOllrrV

AG AS""<:I11<n'ilK 14m'dIKanov<dCC Ci,il('Qn(""'fIIDC I>>>clplln>!)'CNI1."<$fl t,neFI I'rclimin>ry InjunctionFR T~R<>It';nin.:OrdcrPS rrc-riH,,; Satlcma~RN ROIl'"'ionSI' S.,penslonVR Volunto>y R.. il»",ionOT OIll<'l'

Air Force om..,o(sp«iaJlnv<Stit.bon<AnnyClimiruJ Inv.,..;;.uve Smi«llurc.>lIo( Alcohol, Tob.>«o& .; re..,,1$1l.. ""uoflndi'onAlTairs(.\o;,onl$ andHonk< I'ro,"";on1)«.".., Contn<l AIId,' A;<n<yDe(en><:Crin';n>I.lnvcsl".tivc Savke0.'-'0: [n(orccm<nl Ad:niniotra"Dn~",",of(,orroctionslh-pt.o( In,erio<V<pt. o(Ilomdw S«»rity[nvironma>U1 Pro,«:Iion A~<n<yf<dcr:ll Aviation Admin4~,ion1'00<1and ON!: Adminislt'lIonDcpt.'oWcallh & II"",.,.. ServlccsI>cpc. ofllousin.: & Urb.ln DevclOI'Il_1lMliU;.tion >rod (,,,,tenU I:nforccm<nl1nt<tN1 Revenoe Seviee1'1'11Acronollli<s &.51»<0 AdminN.n NARC Honlet IntmlictionN.voI Criminollnvcst,s-livc S<I\'i.:eRoyal CoNdi .. Mountcd PoliceSm.lll1usln<>'SAdln",MuonUS. ('_, Gu>tdU.S, tx.·p.. t",<t>t o(S.. teU.s, M.I>NI$ ServiceU S~Posw SctV~CCUS. S.uct serviceU.s, 1)"""'y1"".1e,yCo""'YS"'eOther

MOSIACISUATFiliAClIPDCMDCISVIlADOCDOlOilSI:PAI'AAl·llAUIISUUI>ICI!IRSNASANUISNCISRCMPSllAUSCGUSOSUSMSUSPSUSSSusiaweCITYCOUNSTOTUR

JUI)1('IAI.01,rCOMt:

A A.i.,.tl·>cifid.l~II UI><:kI Indl#11AI1)CncatfiU Unlr.ownW \Vhil~X Nonj,..hvi<fu>1

Z2 0,,,,,<11<>.S,oel.slllo<ld>lC"m-n.;ylN,..'OIi.t>Ie rn.uunentS

2J Co""roclVl'ir:l,<d SoundRCO)rdll~~s« Motion PKtm:::

24 II"'" Thcl\ S<ha"" Abort<dlS Ronson"u.ortlOll or Ilribe

1)aNn<! Abortod26 Thtfl I'rom'or Frolld Apr""

Govan",,,,. Sd><me AI>oo1«l27 C<>,,..,,,,,,," or ~I

'11><[1 SdlCnlCAbortodJO "'10th«

1'.'1,1'('()lIK~

CI'· 'Copiul P",i$hn>mtJS J';IS",.""",LI' WoP"",1elS 1.l(eScnloxcNS NoSeoteece (S"l>jedis • fugibve,

Ins>ne, Nufo<d, I.. Co<ponIion orm",' p>y rUle ""Iy)I'll Probotion5J Suspension'o( Joll Sa>'mo<VC YoulhC.omx~ionAct

01 c..-.h02 S.ods.1londs 0<N,..'Q~Imtnm:nl>OJ G<n<r>1K..... IMmhond...,01 Vd,icl<$OS I Ie:>vy Mod"n<I)' & r.q"pmo:n.06 Ainnflen Jew<11)'OS V....,I.09 ArI, AnU~ or K.... Colk><li<>n>II RnIProperly20 AIIOth<t

l'IHlP.:!l'l'V ('()1m;

For Further lnstructlcns Sec: MAO I', Part Il, Sections 3·5 thru 3·5,3,Revised 12·19·2006

Accomplishment Narrative

................................ -.-" _-_._ -_- -.._ _._ ..

Section Count--------------------------------------------------------

Title

United States Code Violation

................................ -.-'-~".--.- _-_ ..

b7E

1 = Used, but did not help2 = Helped, Minimally3 = Helped, Substantially4 = Absolutely Essential

11HQ

Squad Task ForceRA

VICT-YITN COOR10 YANTED FLYRSARSCARTASSET FORF PROFORF SUPPORT PTFOS/CTDCXS/CTDINFRAGARD/CYDOFC/CIDPPPFUSION CENTERS

._____ ___.UIIIII

............ -_ ... -.+-__.. -.-"""'''''

Arrest is for Federal, Local, or International (F/L/I)••Arrest Subject Priority (A/B/C)••••••••••••••••••••••••• : CDid Subject Resist (Y/N)•••.•••••••••••••••••••••••••••• : NYas Subject Armed (Y/N).•..••••••••••••••••••••••••••••••: N

b6b7C

Assisting Agents SOC Subject Name

b6b7C

CO - NAr BACNCAVC/VI-CAPCRIM/NS INTELCRIS NEG-FEDCRIS NEG-LOCERT ASSTBUTTE OSCSAV OSCPOC SCFT. MON-NRCSCFOR LANG ASSTNON FBI LAB E

LAB FIELD SUPPEN REGISTERSPHOTO COVERGEPOLYGRAPHSRCH YAR EXECSHOY MONEYSOG ASSTSYAT TEAMTECH AG/EQUIPTEL TOLL RECSUCO-GROUP IOCO-GROUP II

INAN ANALYSTIRCRAFT ASSTOMPUTER ASSTONSEN MONITRLSUR/FISCLSUR/IIING FIELD SUPNG TAPE EXAMEGATS ASST.VIDNCE PURCHINFORMANT/CYAB DIV EXAMS

Investigative Assistance or Technique Used

NNNY

Assisting Joint Agencies

Stat Agent Name: IStat Agent SOC.: .__ ___~

SENSITIVE / UNCLASSIFIED***************** ARREST ****************

Sub. Invest. Asst by Other FOs:

Corruption of Public Officials: NMoney Laundering. • • • • • • : N

Drugs • • • • • •A Fugitive ••.•••Bankruptcy Fraud. • •Computer Fraud/Abuse.

Does Accomplishment Involve

Case Number: 288A-JK-53354Serial No.: 15

05/31/2012

Report Date: 05/31/2012Accom Date.: OS/29/2012

This document contains neither recommendations, nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it andits contents are not to be distributed outside your agency,

By: SA L-I __.

Assistant Legal Attache

SA~I --I

FBILegal AttacheI I

b6b7CYours truly,

b7D

DearL-I .....

RE: Anonymous Romania

b7D

1 June 2012...~'> .,. l~

File No. 163L-BO-89.3; 288A-JK-53354

Office of Legal AttacheBucharest, Romania

Embassy of the United States of America

•

b7CUNCLASSIFIED//FOR OP'FIC!AI:i USE g~la:iXFTs~~~~150312'WPd

(U/~LCSO was contacted and'advised of the arrestand stated that they will continue to coordinate with the FBI onany press releases they provide. ~ ~

b6b7C

(U/~ALATI Iprovided a link to the officialpress release which was printed out and placed in a 1A and sentto the file.

b6b7Cb7D

I(ULI_ru:\U()_) I

b6b7Cb7D

Synopsis: To update case on arrest of multiple individualsrelated to the above referenced investigation.

Title: UNSUB (S)iLAKE COUNTY SHERIFF's OFFICE - VICTIM

(Pending)Case ID #: 288A-JK-53354

Drafted By: ....___------'lD

Iadvised thatDetails: (UII~~TT~\On 5/29/2012 ALATI

Approved By:

b6b7C

From: Jacksonville11Contact: SA ~-,~==,- ~

I

To: Jacksqnville


UNCLASSIFIED//FOR OFFICIAL USB ONLY=•(Rev, 05-01-2008)

Date: OS/29/2012Precedence: ROUTINE

UNCLASSIFIED/ /FOR OI:'!"Ie!zAfi USB ONLY

++

2

b7DLeso

~h~a-s--a-l~s-o--p-r-o-v~id~e-d~I----------------------------------------=;1copies of data from the intrusion which were shipped to FBIJacksonville on 5/25/2012.

To: Jacksonville From: JacksonvilleRe: 288A-JK-53354, OS/29/2012

UNCLA~SIFIED/ lEOR Ol"l'Ie!!Afi USB Oly .

b6b7C

b7D

b7D

b6b7C

UNCLASSIFIED//FOR OI"£'ICfA:fi USE qR:r;axF'l'S~""----'11500112'WPd

Synopsis: To document rece~pt of evidence.

Details: {U/~OOOr- On 5/30/2012 Writer received two (2)shipments of evidence I I relating to the aboveinvestigation. The two (2) shipments contained the followingwhich were placed in evidence on 5/30/2012:

Item ff Descrip~ion


288A-JK-53354 (Pending)Case ID #:

Drafted By:

From: Jacksonville11Contact: sA~1--r-----T-----------------~

Approved By:

To: Jacksonville


FEDERAL BUREAU O,F INVESTIGATION

UNCLASSIFIED//FOR Ot'I"IC!A:!:I USE ONLY

(Rev. 05·01-2008)

b6b7C

b6b7Cb7D

b6b7C

UNCLASSIFIED//ECR Ol'Fl:€IAI:JUSE Y'biX;rs~r--""h5:[]O:!12'WPd

L~~ ......J and a copy p.raceoan a 1A and sent to tnefile.

IDetails: (U//FOUO) Writer has worked with the Lake CountySheriff's Office I

Synopsis: (U//FOUO) To update case and claim statisticalaccomplishments.


DApproved By:

Drafted By:\<\

Case ID #: 288A-JK-53354 (Pending)."

From: Jacksonville11Contact: SA L...- ____~

To: Jacksonville



UNCLASSIFIED//JiOROFl"IC!AI:I OSB ONLY

FD-S42 (Rev. 03-23-2009)

UNCLASSIFIED/jJ!OR OFP'!€IAL USE OlSlLY

2

b7ENumber: 1Type: CIP CASEITU: CIP ~--------------------------------~Claimed By:

b6b7C

Number: 1Type: CIP VICTIM CONTACTED/INTERVIEWEDITU: CIPClaimed By:.--- ~

SSN: IName: ~Ir-----L..--...,Squad: 11

b6b7C

Number: 1Type: CIP SUBJECT TOOL/EXPLOIT/MALICIOOS CODE IDENTIFIEDITU: CIPClaimed By:r--- ...,

SSN: IName: ~I~------~--~Squad: 11

b6b7C

Number: 1Type: CIP SUBJECT IDENTIFIEDITU: CIPClaimed By:

SSN: 1"'"1 ---------,

Name: ~I~ ~Squad: 11

b6b7C

b7ENumber: 1~ ~Type: CIPI IARREST/SEARCH WARRANT CONDUCTEDITU: CIPClaimed By:

SSN: ....1------,Name: I~~ ~Squad: 11

b6b7C

b7E

Accomplishment Information:

To: Jacksonville From: JacksonvilleRe~ 288A-JK-53354, 5/31/2012

Number: 1Type: CIP CASEITU: CIP ~--------------------------------~Claimed By:

SSN: 1"'"1 ------,

Name: ~I~~ ~Squad: 11

UNCLASSIFIED//F!lOR OFFIOIAL USE ONLx

++

3

b6b7C

Number: 1Type: CIP VICTIM CONTACTED/INTERVIEWEDITU: CIPClaimed By:~ --,

SSN: IName: ~I~ L-__~Squad: 11

b6b7C

Number: 1Type: CIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIEDITU: CIPClaimed By:

SSN: r-r---~Name: lL- .....I

,Squad: 11

b6b7C

Number: 1Type: CIP SUBJECT IDENTIFIEDITU: CIPClaimed By:~ ~

~!~~:L..~r----___'_--.....,Squad: 11

b6b7C

b7ENumber: 1~--------~Type: CIP~ ~ARREST/SEARCH WARRANT CONDUCTEDITU: CIPClaimed By:~ .....,

SSN: IName: ~I------~--~Squad: 11

b6b7C

SSN: ~I .......__--,Name: I~ ~Squad: 11


b6b7C

UNCLASSIFIED//EOR IJFP'!€!IALUSE gr'l\tIIFTs~r--.....u5£Oo212.wpd

Details: (U/tF05ot On 5(30/2012 writer received tw~ (2) shipmentsof evidence I . relating to the above investigation. The b7Dtwo (2) shipments contained the following which were placed inevidence on 5/30/2012:

b7E

b6b7C

Synopsis: To document

Title: UNSUB ($);LAKE COUNTY SHERIFF's OFFICE - VICTIM

.____------JlcD( Lnq) .'" dOPend~ng

Approved By:

Drafted By:

Case ID #: 288A-JK-53354

From: Jacksonville11Contact: SA .___;:::=::::;- ----'

To: Jacksonville



UNCLASSIFIED//FOR OF£lIC!ALOSE ON~

(Rev. 05.01:2008)'

''c.j,' • '. ..

2

UNCLASSIFIED/ /'ilOR Ol1'£o'IC!Afi eSB ON~

.+

b7EI(u/tt?Sgg)- CART made copies of the above media I


UNclsSIFIED/ liaR OFl"le!AfI ~SATOf.. . Ii

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it andits contents are not to be distributed outside your agency.

By: SA.....I .....Assistant Legal Attache

Legal AttacheI I

b6b7C

b7D

Dea~ b7D

RE: Anonymous Romania

b7D

Office of Legal AttacheBucharest, Romania

Embassyof the UnitedStatesofAmerica

6 June 2012'Y~ ?-\;' ,-

File No. 163L-BO-893; 288A-JK-53354

b6b7CATTENTION: ~L _ __J-I ..L-I __ ....J-CLASSIFICATION LEVEL

(<lma0NB)

i$'UNCLASSlFIED- NOT SENSITIVEc::JUNCLASSIFIED- SENSITIVEc::JCONPJDBNTIALCJSECRET

TO: cAlbany cHouston cNorfoIk cAbuDhabi CJaIcartB cSeoul

CAlbuquerque CJ Indianapolis oOklahoma City cAmman cKabuJ cSingaporet::IAnchorage

~

oOmaha cAnkara CKiev cSof.a

CJAtlanta e O})h]tadeJphia cAstana C KualaLumpar oTallinn

t::J Baltimore ty OJlhOenlX cAthens cLagos cThilisi

CJBinningham C Knoxville cPittsburgh cBaghdad CLondon CTclAviv

CJBoston cLasVegas oPortland CBangkok CMadrid CTokyo

ClBuffalo CJ Little Rock CJRicbmond cBeijing oManila CVienna

CCharlotte oLos Angeles CSacramentoo Beirut cMexlco City CWarsawo Bedln cMoscow C

CJChicago Cl Louisville Cl Saint Louis cBcm cNairobio Cincinnati t:lMemphis t:JSalt Lake City CBogota ClNewDelhio Cleveland o Miami aSan Antonio CBrasllla o Ottawa.I:JColumbia ClMilwaukee a San Diego cBridgetown o Panama CityClDallas c:JM'mneapolis c:JSan Francisco o Brusscls o Pariso Denver CJMobile OSanJuan CIBuenosAires ClPragueo Detroit ONewark oSeattle oCalro CPretoriaCJEIPaso ONcwHavcn c:::::JSpringficld cCanberra ca Rabat

t:JFBIHQ ClNew Orleans CJTampll. r::JCaracas CRiyadh

CHonolulu ClNew York City ClWasbington Field r::JCopenhagen CRomc!=JDakar C SanSalvador

r::JButt~osc c:JQuantico (CIRG) c SavannahOSC cDoha cSanaa

C Clarksburg (CJIS) cQuantico (Div. 2) o Wmchester(RMD) CFreetown C SantiagoOFt.Monmouth rrc CIQuantico (ERF) CI CJHong K-ong oSantoDomingo

cPocateUo ITC CJQuantico(Lab) clslamabad c::JSarajevo

FOR INTERNAL USE ONLYLegat - BucharestName~·__~ __Legal AttacheU.S. Embassy - Bucharest5260 Bucharest PlaceDulles, VA 20-189

(011-40-21) 200..3339

b6b7C

UNCLASSIFIED/ /OE'OR OFFI9IAL gSE g~t~TSlr--""'h6tOOl12'WPd

Title: UNSUB (S);LAKE COUNTY SHERIFF's OFFICE,- VICTIM

.____-_____.D :>.:1-Case ID #: 288A-JK-53354 (pending)"

Synopsis: To document the receipt of a report b7EI lof data for the above referenced case for th~ period6/4/2012 ~ 6/8/2012.

Details: (U/~Writer received the following report from thefirst part of the data analysis of the Lake County Sheriff'sOffice data I ~ b7E

Approved By:

Drafted By:

b6b7C

From: Jacksonville11Contact: SA~I--,_---r--------------------~

I

To: Jacksonville

.FEDERAL BUREAU OF INVESTIGATION

UNCLASSIFIED/{FOR Ol"£I'ICIAL USB ONLY

(Rev. 05·01.2008)


b6b7Cb7E

2

UNCLASSIFIED/noR ClD'FI€HALUSE I !NLY


UNAsSIFIED/ (.FOR Ol"l"'Ie::fA!I US£LY:

3

UNCLASSIFIED/liaR !IOGFICIAL USE ()NL~

••

b7E


UNAsSIFIED/ lEOR Ol"l"Ie!A:f1USEtltr'f

~,. ...

blb3

blb3b7D

b6b7C

CONE'IDEN'l1IAL//F8:E R06iREL '1'0 ~SA, BrlIt

regard~ng member's ,ofIArn~o-n~y-m-o~,u-s~R~o-m~-a-n~i~a-.----------------~

Title: ANONYMOUS ROMANrA

..Synopsis;---{l/~o~ 00-+-

Case 10 #: 163L-BO-S93;288A-JK-5'3354

Drafted By:

From: Bucha re's t;

Contact: A.LAT ~I-------r--~------------------~Approved By: L--. __.L

~--O(Pending) ~-tJ"'(Pending) ,..,.

International- Operations

Attn: CeU1, SA. ,1-1.,..... ....1----,

CCU2, $SA. ISSA I

Attn: SA. ~I===='::::::::==::;-I-_,ISA I I

Attn: EUrasia Unit, SSA r-I --....,

Jacksonville

To: Cyber



.CONFIOgNTIAL//FGI RO:S-/REL TO II$A( ROU

(Rev. 05:01-2008)

blb3

2

cbNFIDEN'l'lAI;//FSI Rae/REI; '1'0 USA, ROU


To:Re:

CONFI!NTIAtilIF€I ROU/REL '1'0 TTSA,'tOU

blb3

3

CdNFIOEN'!'lAli//FSI RO'e/REL TO USA, gon

(U//F0f:10)Cyber and Detroit divisions confirmed thehack related to Berrien, Michigan.


To:Re:

•

4

ROUliSACONFTlle:NTIAIi//F8I ROu/REL '1'0


AT EURASIA UNIT, DC


Set Lead 3: (Info)

Read and clear.

AT JACKSONVILLE, FL

JACKSONVILLE

Set Lead 2: (Info)

Read and clear.

AT CCU-I, DC

CYBER

Set Lead 1: (Info)

LEAD(s) :

eyber From: Bucharest16JL-BO-B93, 06/26/2012

To:Re:

CONFI!N1!'IAL//FSI ROT:1/REL'1'0 uSA/lton

•

CONFIDENTIAL//FS! RO'6"REL ''£0USA, ROU

blb3

JI'I

members, activities, and plans.

blb3b7D

regard~ng Anonymous Romania's

Title: ANONYMOpS ROMANIA

sYnoPsisu:mmu(I~)mu+Ie)

Case ID #: 163L-BO-893288A-JK-53354

.,..'"(Pending);'~(Pending),.

Drafted By:

From: BucharestContact: ALAT ~I ~_~ ~

Approved By: U~-Attn:International Operations

b6b7C

Attn: CCU1,CCU2,CIR~F~UL-~~ ~lA

Attn: SA \--------....,...----.

SA ~-----~~SSA

Jacksonville



~1(Rev.05·01·2008)

To: Cyber

CONFIDENTIAL,../F6! Re'6/nEL '1'0USAI ROU

blb3

2

CONE'IDENT!:ATe/,'PSI M'g'/REL 'I'O USA. ROO


To:Re:

t

3

blb3

CONe' IDENTlAIi//F61 Roe/REL TO USA, ROH

To: Cyber Frpm: BucharestRe: 163L-BO-893, 06/27/2012

COUE'!!NfI1tLJ lEG! ROO, Hfi '1'0 eSA~

blb3

4

~ONFIDENTJ1n'l!FGI 009/REL TO uSA, ROU~

To: Cyber From: BucharestRe~ 163L-BO-893,06/27/2DL2

CONFI!N'l'IAL//EGI ROO/REL TO USA~U .

5

CONFIDEN'fIAL//FG! ROt1/ML fO USA, ROU


AT EURASIA UNIT, DC

INTERNATIONAL OPERAT'IONS

Set Lead 3: (Info)

Read and cl.eer .

AT JACKSONVILLE, FL

JACKSONVILLE

Set Lead 2: (Info)

conduct searches of relevant,dat.aae.ts andprovide any informat,ion on the channels #OpRomania and#tangodown. Also, provide any information on planned attacks onRomania due to the recerrtar-r-ests,of Anonymous Romania members i-fencountered.

AT PITTSBURGH, PA, CIRFU

CYBER'

'SetLead 1: (Action)

LEAD (s) :


To:Re:

e " , •CONFIDEN'l'IAL,TFG:f RO'tfrREL '£'0 OSA;-ioO

UNCLASSIFIED

b6b7C

Although Legat Bucharest would have liked to worktowards I I extradition to the United st.ates to faceprosecution, due to the extradition treaty between Romania andthe United States (US), he cannot be extradited until all legalproceedings in Romania, including the prison sentence, arecomplete. Once judicial authority has been requested in a

b6b7Cb7D

I I The prosecutor placedtwo of 't,hesubjects under arrest including the primary suspectimplicated in the Lake County Sheriff's Office (LCSO) computerintrusion, I J The other'personarrested was ~I __.!

b6b7Cb7D

Details: On 5/29/2012 I rSynopsis: Provide details of arrest and case update.

Title: ANONYMOOS ROMANIA

-;~(Pending)'"(Pending)",Ot1

b6b7C

From: BucharestContact: ALATI~ -r__~ ~

Approved By: ~I ~I c==JDrafted By: I 0Case ID #: 163L-BO-893

288A-JK-53354

Attn: Eurasia Unit, SSA '---__ .....International Operations

Jacksonville

b6b7C

Attn:To: Cyber



UNCLASSIFIED

~~(R,~v."QS·OI.2008)

Attn:

2

UNCLASSIFIED

Romanian investigation, such as a search warrant, the" police" areunable to pass the case to another jurisdiction for p.rosecut.i.on ,Addit.LonaLly , because" Romania charged the Leso in theirindictment, extradition proceedings would face a more fundamentaldouble-jeopardy issue in both the US and Romania.

TQ: Cyber From: BucharestRe: 163L-BQ-893, 06/25/2012

UNCLASSIFIED

------ ~~~~~~~~~~~~_____.

UNCLASSIFIED

••Read and clear.

AT EURASrA UNIT, DC


Set Lead 3: (Info)

Read and clear.

AT JACKSONVILLE, FL

JACKSONVILLE

Set Lead 2: (Ipfo)

Read and clear.

AT CCU-l, DC

CYBER

LEAD (s) :

Set Lead 1: (Info)

To: Cyber From: Buch~restRe: 163L-BO-893, 06/25/201'2

UNCLASSIFIED

3

FBI Anonymous Anti-Sec LCSO.org FOIA Documents

Documents

Transcript of FBI Anonymous Anti-Sec LCSO.org FOIA Documents